Re: Fighting with vnet / jails epair and so on
On 01/19/12 16:08, Bjoern A. Zeeb wrote:
> On 19. Jan 2012, at 22:33 , Philipp Huebner wrote:
>> On 19/01/12 18:22, Denny Schierz wrote:
>>> hi,
>>>
>>> On 18.01.2012 at 23:21, Philipp Huebner wrote:
>>>> I use 9.0.0 release for host and jail and a generic kernel with
>>>> OPTIONS VIMAGE being the only change/addition. No problem.
>>>
>>> so, how does your rc.conf config look? Do you use vimage the tool? I
>>> can't use vimage (as I know) on sparc64.
>>
>> ...
>>
>> I do not use (and never have) the vimage commandline tool.
>
> Are you (reading and posting here, plural, in general) sure that you don't want to read up on freebsd-jail and give the framework a try which might make your life easier...
>
> http://lists.freebsd.org/pipermail/freebsd-jail/2011-July/thread.html#1568
>
> I am sure Jamie would like feedback and now that 9.0 is done get review and get it in...
>
> /bz

Actually I think it's high time for Jamie to get off his butt and just commit the thing. Reviews will likely follow :-).

- Jamie

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: Fighting with vnet / jails epair and so on
hi,

On 19.01.2012 at 23:33, Philipp Huebner wrote:
> jail_dhcp_exec_earlypoststart0="ifconfig epair9b vnet dhcp"

This option doesn't exist in a plain FreeBSD 9 install. I had to patch to get these options. I've written to the jail list too.

cu denny
Re: Fighting with vnet / jails epair and so on
On 19. Jan 2012, at 22:33 , Philipp Huebner wrote:
> On 19/01/12 18:22, Denny Schierz wrote:
>> hi,
>>
>> On 18.01.2012 at 23:21, Philipp Huebner wrote:
>>>
>>> I use 9.0.0 release for host and jail and a generic kernel with
>>> OPTIONS VIMAGE being the only change/addition. No problem.
>>
>> so, how does your rc.conf config look? Do you use vimage the tool? I
>> can't use vimage (as I know) on sparc64.
>
> ...
>
> I do not use (and never have) the vimage commandline tool.

Are you (reading and posting here, plural, in general) sure that you don't want to read up on freebsd-jail and give the framework a try which might make your life easier...

http://lists.freebsd.org/pipermail/freebsd-jail/2011-July/thread.html#1568

I am sure Jamie would like feedback and now that 9.0 is done get review and get it in...

/bz

--
Bjoern A. Zeeb
You have to have visions! It does not matter how good you are. It matters what good you do!
Re: Fighting with vnet / jails epair and so on
On 19/01/12 18:22, Denny Schierz wrote:
> hi,
>
> On 18.01.2012 at 23:21, Philipp Huebner wrote:
>>
>> I use 9.0.0 release for host and jail and a generic kernel with
>> OPTIONS VIMAGE being the only change/addition. No problem.
>
> so, how does your rc.conf config look? Do you use vimage the tool? I
> can't use vimage (as I know) on sparc64.

/etc/rc.conf
=
jail_enable="YES"
jail_v2_enable="YES"
jail_dir=/etc/jails
jail_list=`ls ${jail_dir}`
for j in ${jail_list}; do
    . ${jail_dir}/${j}
done
=

/etc/jails/dhcp
=
jail_dhcp_name="dhcp"
jail_dhcp_hostname="dhcp.vv.fda"
jail_dhcp_devfs_enable="YES"
jail_dhcp_rootdir="/jails/dhcp/20120110"
jail_dhcp_vnet_enable="YES"
jail_dhcp_exec_prestart0="ifconfig epair9 create"
jail_dhcp_exec_prestart1="ifconfig bridge300 addm epair9a"
jail_dhcp_exec_prestart2="ifconfig epair9a up"
jail_dhcp_exec_earlypoststart0="ifconfig epair9b vnet dhcp"
jail_dhcp_exec_afterstart0="/etc/rc.jail"
#jail_dhcp_exec_poststop0="ifconfig bridge300 deletem epair9a"
#jail_dhcp_exec_poststop1="ifconfig epair9a destroy"
=

/jails/dhcp/20120110/etc/rc.jail
=
#!/bin/sh
. /etc/rc.conf
echo "#"
echo "# Starting JAIL: $hostname"
echo "#"
/etc/rc.d/netif start
route add default $defaultrouter
/etc/rc.d/sshd start
/usr/local/etc/rc.d/nrpe2 start
/usr/local/etc/rc.d/isc-dhcpd start
echo "#"
echo "# JAIL $hostname is now up and running!"
echo "#"
echo
==

I do not use (and never have) the vimage commandline tool.

Regards,
Philipp
Re: Fighting with vnet / jails epair and so on
hi,

I've created a new patch (adapted the old freebsd-9RC2 patch) for /etc/rc.d/jail:

The original patch: http://wiki.polymorf.fr/files/jail_rc.patch
My patch: http://pastebin.com/9LdLwaNA

It works (was very happy) if you start the jail, but has problems with stopping: it still shows in jls as active:

# jls
   JID  IP Address      Hostname                      Path
     1  -               template.domain               /jails/template

If I try to remove it with "jail -r 1", then first the process hangs, and second, after a while, the whole machine needs a reset. There is no process from the jail active, nor any epair* interfaces or mounts, which is quite good, but ...

If you try to create the jail again (after /etc/rc.d/jail stop), it tries to create the epair0a interface (the last thing I can see) and then it hangs again -> reset needed

Also nice to know:

# umount /jails/template
umount: unmount of /jails/template failed: Device busy

Also not possible: a normal reboot after starting / stopping the jail. -> reset needed

cu denny
Re: Fighting with vnet / jails epair and so on
hi,

On 18.01.2012 at 23:21, Philipp Huebner wrote:
>
> I use 9.0.0 release for host and jail and a generic kernel with OPTIONS
> VIMAGE being the only change/addition.
> No problem.

so, how does your rc.conf config look? Do you use vimage the tool? I can't use vimage (as I know) on sparc64.

What I did to get it working without /etc/rc.d/jail:

jail -c vnet jid="101" name=template host.hostname=template.example.com path=/jails/template/ persist
ifconfig epair0 create
ifconfig bridge0 addm epair0a
ifconfig epair0b vnet 101
jexec 101 ifconfig epair0b 192.168.1.2 netmask 255.255.255.0
jexec 101 route add default 192.168.1.1
ifconfig epair0a up
ping 192.168.1.2
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.054 ms

Inside the jail I have only "lo" and "epair0b" and it works :-) but not from /etc/rc.conf, and that is the problem.

cu denny
Re: Fighting with vnet / jails epair and so on
Hi,

On 19/01/12 00:59, Denny Schierz wrote:
> ===
>
> # host:
> jexec 2 ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up
> ifconfig: up: permission denied

I use 9.0.0 release for host and jail and a generic kernel with OPTIONS VIMAGE being the only change/addition.
No problem.

>
>
> # sysctl:
>
> security.jail.enforce_statfs: 2
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 1
> security.jail.sysvipc_allowed: 1

security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0

> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> security.jail.jail_max_af_ips: 255
> security.jail.jailed: 0
>
> /etc/rc.conf:
> =
> jail_enable="YES"
> jail_v2_enable="YES"
> jail_list=""
> jail_sysvipc_allow="YES"

I don't have this line, not sure what it does either.

>
> #JAIL template
> jail_list="$jail_list template"
> jail_template_name="template"
> jail_template_hostname="template.CHANGED"
> jail_template_devfs_enable="YES"
> jail_template_rootdir="/jails/template"
> jail_template_mount_enable="YES"
> jail_template_fstab="/etc/jails/fstabs/template"
> jail_template_vnet_enable="YES"
> jail_template_devfs_ruleset="devfsrules_jail"
>
> #network
> jail_template_exec_prestart0="ifconfig epair0 create"
> jail_template_exec_prestart1="ifconfig bridge0 addm epair0a"
> jail_template_exec_prestart2="ifconfig epair0a up"
> jail_template_exec_earlypoststart0="ifconfig epair0b vnet template"
> jail_template_exec_afterstart0="ifconfig lo0 127.0.0.1"
> jail_template_exec_afterstart1="ifconfig epair0b 192.168.1.2 netmask
> 255.255.255.0 up"
> jail_template_exec_afterstart2="route add default 130.83.160.62"
> jail_template_exec_afterstart3="/bin/sh /etc/rc"
                                   ^^^
The initscript runs /etc/rc already when the jail is created, this makes it run a second time which messed things up for me. When the initscript runs /etc/rc, all the scripts with NOJAIL are skipped.

For some reason, when running /etc/rc a second time through this configuration, some daemons like cron were started a second time. I now execute a custom /etc/rc.jail which runs a few init scripts manually to configure networking and start a few daemons that don't come up with the original run of /etc/rc.

> jail_template_exec_poststop0="ifconfig bridge0 deletem epair0a"
> jail_template_exec_poststop1="ifconfig epair0a destroy"

I am not doing this, because shortly after stopping a jail this would give me a kernel panic. If you comment those lines, the devices will stay where they are and simply be re-used the next time you start the jail again. Works without a problem for me.

Regards
Philipp
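An added example, not code from the thread or from FreeBSD's /etc/rc.d/jail: a small sh script that performs Denny's manual start sequence in the hook order Philipp's rc.conf uses, and that follows Philipp's advice of never destroying the epair pair on stop by re-using a pair that already exists. The jail name, bridge and addresses are assumptions; DRYRUN mode and the EXISTING list are constructed stand-ins so the logic can be exercised without a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent start/stop of a vnet jail.
# The epair pair is created only when missing and is never destroyed on stop,
# since Philipp reports a kernel panic when destroying it right after jail -r.
# DRYRUN=1 prints each command instead of executing it (constructed for
# off-box testing); EXISTING is a constructed list of "already present"
# interfaces consulted only in DRYRUN mode.

run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# iface_exists NAME: true if the host already has interface NAME.
iface_exists() {
    if [ -n "${DRYRUN:-}" ]; then
        case " ${EXISTING:-} " in *" $1 "*) return 0 ;; esac
        return 1
    fi
    ifconfig "$1" >/dev/null 2>&1
}

# vnet_jail_start NAME JID EPAIR_N BRIDGE ADDR NETMASK GATEWAY
# Host side first (create, bridge, up), then the jail, then hand epairNb into
# the jail's vnet and configure it from inside with jexec, as in Denny's
# working manual sequence.
vnet_jail_start() {
    name=$1 jid=$2 n=$3 bridge=$4 addr=$5 mask=$6 gw=$7
    if ! iface_exists "epair${n}a"; then
        # Fresh pair: create it and add the host end to the bridge.  A pair
        # left over from an earlier stop is still a bridge member, so skip.
        run ifconfig "epair${n}" create
        run ifconfig "$bridge" addm "epair${n}a"
    fi
    run ifconfig "epair${n}a" up
    run jail -c vnet jid="$jid" name="$name" host.hostname="$name" \
        path="/jails/$name" persist
    run ifconfig "epair${n}b" vnet "$jid"
    run jexec "$jid" ifconfig lo0 127.0.0.1
    run jexec "$jid" ifconfig "epair${n}b" "$addr" netmask "$mask" up
    run jexec "$jid" route add default "$gw"
}

# vnet_jail_stop JID: remove the jail only.  The pair is left in place (and in
# the bridge) so the next vnet_jail_start re-uses it instead of recreating it.
vnet_jail_stop() {
    run jail -r "$1"
}
```

Run with DRYRUN=1 first to review the exact command list for your jail before letting it touch interfaces on the host.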
Re: Fighting with vnet / jails epair and so on
hi,

On 18.01.2012 at 16:13, Shawn Webb wrote:
> I've done a bit of research about vnet jails:
> http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project

I know that tool too, but the host is an environment with SSH only and nothing more, and it should work without any dependencies. I think "/etc/rc.d/jail" isn't in this state compatible with vnet.

cu denny
Re: Fighting with vnet / jails epair and so on
On 18. Jan 2012, at 15:13 , Shawn Webb wrote:
> I've done a bit of research about vnet jails:
> http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project

There's a simple shell script sample on the wiki as well but it would be really cool if you guys could help testing and review the framework jamie has posted on freebsd-jails@ in the past and give him feedback to get it into the tree.

/bz

>
> On Wed, Jan 18, 2012 at 6:59 AM, Denny Schierz wrote:
>> hi,
>>
>> after most parts of my bridge setup work, I want to get vnet for
>> my jails working. In the morning I started a jail and got only the local
>> interface back, but no epair0b. Now I did something so that I can see _all_
>> interfaces from outside (bridge0 / bge* / epair0* ... ) but without any IPs.
>> However, I'm not able to give epair0b inside the jail an IP address. I get
>> "permission denied".
>>
>> Also it looks a bit strange:
>>
>> ===

--
Bjoern A. Zeeb
You have to have visions! It does not matter how good you are. It matters what good you do!
Re: Fighting with vnet / jails epair and so on
I've done a bit of research about vnet jails:
http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project

On Wed, Jan 18, 2012 at 6:59 AM, Denny Schierz wrote:
> hi,
>
> after most parts of my bridge setup work, I want to get vnet for my
> jails working. In the morning I started a jail and got only the local
> interface back, but no epair0b. Now I did something so that I can see _all_
> interfaces from outside (bridge0 / bge* / epair0* ... ) but without any IPs.
> However, I'm not able to give epair0b inside the jail an IP address. I get
> "permission denied".
>
> Also it looks a bit strange:
>
> ===
> host# jexec 2 ifconfig
>
> bge0: flags=8943 metric 0 mtu 1500
>         options=80099
>         ether CHANGED
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
>         media: Ethernet autoselect (1000baseT )
>         status: active
> bge1: flags=8802 metric 0 mtu 1500
>         options=8009b
>         ether CHANGED
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
>         media: Ethernet autoselect (none)
>         status: no carrier
> bge2: flags=8802 metric 0 mtu 1500
>         options=8009b
>         ether CHANGED
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
>         media: Ethernet autoselect (none)
>         status: no carrier
> bge3: flags=8802 metric 0 mtu 1500
>         options=8009b
>         ether CHANGED
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
>         media: Ethernet autoselect (1000baseT )
>         status: active
> pflog0: flags=0<> metric 0 mtu 33152
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
> ipfw0: flags=8801 metric 0 mtu 65536
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
> lo0: flags=8049 metric 0 mtu 16384
>         options=3
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
> bridge0: flags=8843 metric 0 mtu 1500
>         ether CHANGED
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: epair0a flags=143
>                 ifmaxaddr 0 port 12 priority 128 path cost 2000
>         member: bge0 flags=143
>                 ifmaxaddr 0 port 4 priority 128 path cost 55
> epair0a: flags=8943 metric 0 mtu 1500
>         options=8
>         ether CHANGED
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
>         media: Ethernet 10Gbase-T (10Gbase-T )
>         status: active
> epair0b: flags=8842 metric 0 mtu 1500
>         options=8
>         ether CHANGED
>         ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
>         media: Ethernet 10Gbase-T (10Gbase-T )
>         status: active
> ===
>
> # host:
> jexec 2 ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up
> ifconfig: up: permission denied
>
>
>
> # sysctl:
>
> security.jail.enforce_statfs: 2
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 1
> security.jail.sysvipc_allowed: 1
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> security.jail.jail_max_af_ips: 255
> security.jail.jailed: 0
>
> /etc/rc.conf:
> =
> jail_enable="YES"
> jail_v2_enable="YES"
> jail_list=""
> jail_sysvipc_allow="YES"
>
>
> #JAIL template
> jail_list="$jail_list template"
> jail_template_name="template"
> jail_template_hostname="template.CHANGED"
> jail_template_devfs_enable="YES"
> jail_template_rootdir="/jails/template"
> jail_template_mount_enable="YES"
> jail_template_fstab="/etc/jails/fstabs/template"
> jail_template_vnet_enable="YES"
> jail_template_devfs_ruleset="devfsrules_jail"
>
> #network
> jail_template_exec_prestart0="ifconfig epair0 create"
> jail_template_exec_prestart1="ifconfig bridge0 addm epair0a"
> jail_template_exec_prestart2="ifconfig epair0a up"
> jail_template_exec_earlypoststart0="ifconfig epair0b vnet template"
> jail_template_exec_afterstart0="ifconfig lo0 127.0.0.1"
> jail_template_exec_afterstart1="ifconfig epair0b 192.168.1.2 netmask
> 255.255.255.0 up"
> jail_template_exec_afterstart2="route add default 130.83.160.62"
> jail_template_exec_afterstart3="/bin/sh /etc/rc"
> jail_template_exec_poststop0="ifconfig bridge0 deletem epair0a"
> jail_template_exec_poststop1="ifconfig epair0a destroy"
>
> ===
>
> Starting jail:
>
> #/etc/rc.d/jail onestart
>
> Configuring jails:.
> Starting jails:epair0a
> ifconfig: up: permission denied
> route: writing to routing socket: Operation not permitted
> Setting hostname: example.mydomain.com.
>
> uname -a:
>
> 9.0-STABLE FreeBSD 9.0-STABLE #0: Tue Jan 17 09:05:42 CET 2012
>
> Also, some people say I have to patch /etc/rc.d/jail (FreeBSD 9-RC2) to get
> to know the new "vnet2", others say I don't need
Fighting with vnet / jails epair and so on
hi,

after most parts of my bridge setup work, I want to get vnet for my jails working. In the morning I started a jail and got only the local interface back, but no epair0b. Now I did something so that I can see _all_ interfaces from outside (bridge0 / bge* / epair0* ... ) but without any IPs. However, I'm not able to give epair0b inside the jail an IP address. I get "permission denied".

Also it looks a bit strange:

===
host# jexec 2 ifconfig

bge0: flags=8943 metric 0 mtu 1500
        options=80099
        ether CHANGED
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
        media: Ethernet autoselect (1000baseT )
        status: active
bge1: flags=8802 metric 0 mtu 1500
        options=8009b
        ether CHANGED
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
        media: Ethernet autoselect (none)
        status: no carrier
bge2: flags=8802 metric 0 mtu 1500
        options=8009b
        ether CHANGED
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
        media: Ethernet autoselect (none)
        status: no carrier
bge3: flags=8802 metric 0 mtu 1500
        options=8009b
        ether CHANGED
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
        media: Ethernet autoselect (1000baseT )
        status: active
pflog0: flags=0<> metric 0 mtu 33152
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
ipfw0: flags=8801 metric 0 mtu 65536
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
lo0: flags=8049 metric 0 mtu 16384
        options=3
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
bridge0: flags=8843 metric 0 mtu 1500
        ether CHANGED
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair0a flags=143
                ifmaxaddr 0 port 12 priority 128 path cost 2000
        member: bge0 flags=143
                ifmaxaddr 0 port 4 priority 128 path cost 55
epair0a: flags=8943 metric 0 mtu 1500
        options=8
        ether CHANGED
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
epair0b: flags=8842 metric 0 mtu 1500
        options=8
        ether CHANGED
        ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
===

# host:
jexec 2 ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up
ifconfig: up: permission denied



# sysctl:

security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0

/etc/rc.conf:
=
jail_enable="YES"
jail_v2_enable="YES"
jail_list=""
jail_sysvipc_allow="YES"


#JAIL template
jail_list="$jail_list template"
jail_template_name="template"
jail_template_hostname="template.CHANGED"
jail_template_devfs_enable="YES"
jail_template_rootdir="/jails/template"
jail_template_mount_enable="YES"
jail_template_fstab="/etc/jails/fstabs/template"
jail_template_vnet_enable="YES"
jail_template_devfs_ruleset="devfsrules_jail"

#network
jail_template_exec_prestart0="ifconfig epair0 create"
jail_template_exec_prestart1="ifconfig bridge0 addm epair0a"
jail_template_exec_prestart2="ifconfig epair0a up"
jail_template_exec_earlypoststart0="ifconfig epair0b vnet template"
jail_template_exec_afterstart0="ifconfig lo0 127.0.0.1"
jail_template_exec_afterstart1="ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up"
jail_template_exec_afterstart2="route add default 130.83.160.62"
jail_template_exec_afterstart3="/bin/sh /etc/rc"
jail_template_exec_poststop0="ifconfig bridge0 deletem epair0a"
jail_template_exec_poststop1="ifconfig epair0a destroy"

===

Starting jail:

#/etc/rc.d/jail onestart

Configuring jails:.
Starting jails:epair0a
ifconfig: up: permission denied
route: writing to routing socket: Operation not permitted
Setting hostname: example.mydomain.com.

uname -a:

9.0-STABLE FreeBSD 9.0-STABLE #0: Tue Jan 17 09:05:42 CET 2012

Also, some people say I have to patch /etc/rc.d/jail (FreeBSD 9-RC2) to get to know the new "vnet2", others say I don't need to ... so can anybody bring some light into the darkness of jails and vnet + rc?

cu denny